Calibrating permissions

[fehlix]

Suggest, to get this topic moved into Chat area, as I don't see any really HELP requests. Advice's have been given. OP may consider to perform some self-education exercises to get an understanding of relationship between permissions and ownership on different file systems and security of Linux systems.
Thanks

[Eadwine Rose]

Moved

[Jakob77]

Chat is fine with me but I can't take credit for the education.
I was getting nowhere if it wasn't for the friendly people who bother to give me answers.
I can spend more than half a day just failing to make %M work with ls
But if this issue hadn't grown it would have been solved to perfection long ago.

Now, as the folders are getting more complicated I don't know about the quality anymore but I think Felix draws an interesting line in the sand, and I would like to dwell by it a little.
What are the safe user folders permissions supposed to be.?

Do we agree it is 700 for:

700 .thunderbird
700 .mozilla


And 755 for the rest:


755 .conky
755 .config
755 Documents Dokumenter
755 Desktop Skrivebord
755 Pictures Billeder
755 Download Hentet
755 Public Offentligt
755 Videoclip Videoklip
755 Music Musik
755 Templates Skabeloner

?

how about ~/bin and ~/.icons

?


Is someone now going to tell me that all this doesn't matter because the main user folders permissions are protecting all its sub folders.?

[Eadwine Rose]

I think @fehlix meant that you need to read up more on things to learn.

self-education means: not asking for help on forums, but finding info out and about on your own.

[Jakob77]

No matter how much I read I might never get my head around the "find" syntax but it is really an amazing command.
This one works better than the one I used before.
It goes directly to the folder (~/.config) no matter where the Terminal is opened, and the output for this job is almost like candy:

Code: Select all

find ~/.config -printf "%M %m %p\n" | column -t

Sending output to a logfile can also be done:

Code: Select all

find ~/.config -printf "%M %m %p\n" | column -t > ~/config-perm.log

About ~/.icons I have decided to erase all added mouse cursors so there will be only the user panel icons left.

That is just:

.svg
.png
.txt
and a couple more



chmod will then be used accordingly to my list of general permissions for specific files:

Eks:

Code: Select all

chmod 644 ~/.icons/*.txt

644 for:

*.txt
*.jpg
*.xcf
*.odt
*.ods
*.gif
*.png
panelbackup - *.tar.xz



777 for:

*.svg
*.desktop


755 for:

scripts
*.desktop



This is also a home made list like the one about the folders.
Some more valid doc would be very okay.


But this was my cure for ~/.icons

[Jakob77]

Except for ~/.thunderbird I am now almost done making the script that fixes permissions for all files and folders that has to come from my backup, when I do a new MX install.
It is all hard coded for my tree so it is not worth sharing, and permissions can be an endless discussion, but if someone wants to discuss a folder or two, I hope there is still room for it here.


The folder discussion .... I am experimenting with internal fencing the farm some more by making folder permissions more restrictive. It might cause dysfunctionality at some point, so it is not a recommendation but I am a little curious about where that point is, and maybe others knows about it and wants to share their experience.

Both about that and the script, I believe it is best to make it on individual basis because only the user her/himself knows about the data that needs to be restored and how they are going to be used. No one else can know the folders or what is in them.

For me it has been rough to realize that permissions in my backup are messed up.
But like always in MX, we find ways to solve the issue and come out stronger... and maybe even faster.
I guess the commands I have been guided to use in this subject, when they are put in my script, can correct permissions for my whole restore (except .thunderbird) in less than two seconds. And afterwards it is brought up to a higher standard than ever before. - Thank you.

[FinalFox420]

Except for ~/.thunderbird I am now almost done making the script that fixes permissions for all files and folders that has to come from my backup, when I do a new MX install.
It is all hard coded for my tree so it is not worth sharing, and permissions can be an endless discussion, but if someone wants to discuss a folder or two, I hope there is still room for it here.

I would not recommend hardcoding anything like this, you are bound to miss something or run into even stranger issues. Just make a fresh bkp with a properly formatted drive that supports file modes/permissions ex. ext4

OR if you need windows to hold the backup AND still preserve permissions, there is a tar option "-p" which will preserve your perms.
This is my recommendation for backups in general as it will preserve directory structure and offer many more features like compression.

tar might seem harder, but it will save you lots of time in other ways, just read up on "man tar".

Again you can mount FAT partitions with different default perms with "uid, gid, fmask, dmask, umask" under the section "mount options for fat" within "man mount".

[Jakob77]

Except for ~/.thunderbird I am now almost done making the script that fixes permissions for all files and folders that has to come from my backup, when I do a new MX install.
It is all hard coded for my tree so it is not worth sharing, and permissions can be an endless discussion, but if someone wants to discuss a folder or two, I hope there is still room for it here.

I would not recommend hardcoding anything like this, you are bound to miss something or run into even stranger issues. Just make a fresh bkp with a properly formatted drive that supports file modes/permissions ex. ext4

I don't know if I misunderstand and maybe you have a point that MX can run okay anyway, but it is hard for me to see the point in doing a completely correct backup of permissions that are badly messed up.
By hardcoded I meant created with commands fitting my tree and the files in it. I can't really see what is wrong with that. I think missing a file or two will be better than missing them all, and I don't know what you mean by stranger issues.?
I believe it is good for safety when text files, pictures and videos are forbidden to run as programs.
And I am so happy now I have the codes in a script. I don't have to remember them, and the cure for a whole data restore is very fast.
If I was using code from the Terminal line by line it would be slow and the risk of something going wrong would be much bigger. For instance if the command for '~/Pictures' was used in '~/' it would be a disaster.

[Jakob77]

I thought we were digging into the bottom of this but andymx has a backhoe with an impressive long arm, and he actually picked up something about extended permissions (ACL) I would like to clarify in this context:

Meaning of a + at the end of permissions
viewtopic.php?t=77604

Code: Select all

setfacl

setfacl 2.2.53
setfacl --help

-x, --remove=acl remove entries from the ACL(s) of file(s)
-X, --remove-file=file read ACL entries to remove from file
-b, --remove-all remove all extended ACL entries
-k, --remove-default remove the default ACL

I don't know what option to choose yet but since ACL is not used or needed in MX, will it not be logic to remove ACL from all files and folders as a part of the permission calibration routine.?








Edit 9dec2023:

I have not taken it further yet but I have located the main problem to ntfs
I should have used ext4 on the drive for my copy backup.


I have asked in Thunderbird forum but they don't answer:

File- and subfolder permissions hacked and messed up
https://support.mozilla.org/da/forums/s ... last=86169

[Jakob77]

Maybe I have finally found a peasant solution for .thunderbird so I can get rid of the permissions made by ntfs allowing all files to run like programs.


The rationale is as follows:

I have for many years used Fat32 for my backup, .thunderbird included.
And it looks like Fat32 takes all those permissions away, so if I just do that again and restore, the illness in quest will be cured.
There are some symbolic files I can't copy to Fat32 but Thunderbird doesn't seem to care.
So I assume it doesn't matter.

Any objections.?


I'm in the process of testing it and I can't see anything wrong.
Except, I think, something about the very important grumpy fehlix point:
viewtopic.php?p=745703#p745703
The restored .thunderbird directory has lost its restrictive permissions so they have to be fixed.

Code: Select all

chmod 700 ~/.thunderbird

Any objections.?